3b8280f08a
Ships the non-UI piece of Stream D: a draft-aware write surface over NodeAcl
that enforces the Phase 6.2 plan's scope-uniqueness + grant-shape invariants.
Blazor UI pieces (RoleGrantsTab + AclsTab refresh + SignalR invalidation +
visual-compliance reviewer signoff) are deferred to the Phase 6.1-style
follow-up task.
Admin.Services:
- ValidatedNodeAclAuthoringService — alongside existing NodeAclService (raw
CRUD, kept for read + revoke paths). GrantAsync enforces:
* Permissions != None (decision #129 — additive only, no empty grants).
* Cluster scope has null ScopeId.
* Sub-cluster scope requires a populated ScopeId.
* No duplicate (GenerationId, ClusterId, LdapGroup, ScopeKind, ScopeId)
tuple — operator updates the row instead of inserting a duplicate.
UpdatePermissionsAsync also rejects None (operator revokes via NodeAclService).
Violations throw InvalidNodeAclGrantException.
Tests (10 new in Admin.Tests/ValidatedNodeAclAuthoringServiceTests):
- Grant rejects None permissions.
- Grant rejects Cluster-scope with ScopeId / sub-cluster without ScopeId.
- Grant succeeds on well-formed row.
- Grant rejects duplicate (group, scope) in same draft.
- Grant allows same group at different scope.
- Grant allows same (group, scope) in different draft.
- UpdatePermissions rejects None.
- UpdatePermissions round-trips new flags + notes.
- UpdatePermissions on unknown rowid throws.
Microsoft.EntityFrameworkCore.InMemory 10.0.0 added to Admin.Tests csproj.
Full solution dotnet test: 1097 passing (was 1087, +10). Phase 6.2 total is
now 1087+10 = 1097; baseline 906 → +191 net across Phase 6.1 (all streams) +
Phase 6.2 (Streams A, B, C foundation, D data layer).
Stream D follow-up task tracks: RoleGrantsTab CRUD over LdapGroupRoleMapping,
AclsTab write-through + Probe-this-permission diagnostic, draft-diff ACL
section, SignalR PermissionTrieCache invalidation push.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
118 lines
5.3 KiB
C#
118 lines
5.3 KiB
C#
using Microsoft.EntityFrameworkCore;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
|
|
|
|
namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
|
|
|
|
/// <summary>
|
|
/// Draft-aware write surface over <see cref="NodeAcl"/>. Replaces direct
|
|
/// <see cref="NodeAclService"/> CRUD for Admin UI grant authoring; the raw service stays
|
|
/// as the read / delete surface. Enforces the invariants listed in Phase 6.2 Stream D.2:
|
|
/// scope-uniqueness per (LdapGroup, ScopeKind, ScopeId, GenerationId), grant shape
|
|
/// consistency, and no empty permission masks.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>Per decision #129 grants are additive — <see cref="NodePermissions.None"/> is
|
|
/// rejected at write time. Explicit Deny is v2.1 and is not representable in the current
|
|
/// <c>NodeAcl</c> row; attempts to express it (e.g. empty permission set) surface as
|
|
/// <see cref="InvalidNodeAclGrantException"/>.</para>
|
|
///
|
|
/// <para>Draft scope: writes always target an unpublished (Draft-state) generation id.
|
|
/// Once a generation publishes, its rows are frozen.</para>
|
|
/// </remarks>
|
|
public sealed class ValidatedNodeAclAuthoringService(OtOpcUaConfigDbContext db)
|
|
{
|
|
/// <summary>Add a new grant row to the given draft generation.</summary>
|
|
public async Task<NodeAcl> GrantAsync(
|
|
long draftGenerationId,
|
|
string clusterId,
|
|
string ldapGroup,
|
|
NodeAclScopeKind scopeKind,
|
|
string? scopeId,
|
|
NodePermissions permissions,
|
|
string? notes,
|
|
CancellationToken cancellationToken)
|
|
{
|
|
ArgumentException.ThrowIfNullOrWhiteSpace(clusterId);
|
|
ArgumentException.ThrowIfNullOrWhiteSpace(ldapGroup);
|
|
|
|
ValidateGrantShape(scopeKind, scopeId, permissions);
|
|
await EnsureNoDuplicate(draftGenerationId, clusterId, ldapGroup, scopeKind, scopeId, cancellationToken).ConfigureAwait(false);
|
|
|
|
var row = new NodeAcl
|
|
{
|
|
GenerationId = draftGenerationId,
|
|
NodeAclId = $"acl-{Guid.NewGuid():N}"[..20],
|
|
ClusterId = clusterId,
|
|
LdapGroup = ldapGroup,
|
|
ScopeKind = scopeKind,
|
|
ScopeId = scopeId,
|
|
PermissionFlags = permissions,
|
|
Notes = notes,
|
|
};
|
|
db.NodeAcls.Add(row);
|
|
await db.SaveChangesAsync(cancellationToken).ConfigureAwait(false);
|
|
return row;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Replace an existing grant's permission set in place. Validates the new shape;
|
|
/// rejects attempts to blank-out to None (that's a Revoke via <see cref="NodeAclService"/>).
|
|
/// </summary>
|
|
public async Task<NodeAcl> UpdatePermissionsAsync(
|
|
Guid nodeAclRowId,
|
|
NodePermissions newPermissions,
|
|
string? notes,
|
|
CancellationToken cancellationToken)
|
|
{
|
|
if (newPermissions == NodePermissions.None)
|
|
throw new InvalidNodeAclGrantException(
|
|
"Permission set cannot be None — revoke the row instead of writing an empty grant.");
|
|
|
|
var row = await db.NodeAcls.FirstOrDefaultAsync(a => a.NodeAclRowId == nodeAclRowId, cancellationToken).ConfigureAwait(false)
|
|
?? throw new InvalidNodeAclGrantException($"NodeAcl row {nodeAclRowId} not found.");
|
|
|
|
row.PermissionFlags = newPermissions;
|
|
if (notes is not null) row.Notes = notes;
|
|
await db.SaveChangesAsync(cancellationToken).ConfigureAwait(false);
|
|
return row;
|
|
}
|
|
|
|
private static void ValidateGrantShape(NodeAclScopeKind scopeKind, string? scopeId, NodePermissions permissions)
|
|
{
|
|
if (permissions == NodePermissions.None)
|
|
throw new InvalidNodeAclGrantException(
|
|
"Permission set cannot be None — grants must carry at least one flag (decision #129, additive only).");
|
|
|
|
if (scopeKind == NodeAclScopeKind.Cluster && !string.IsNullOrEmpty(scopeId))
|
|
throw new InvalidNodeAclGrantException(
|
|
"Cluster-scope grants must have null ScopeId. ScopeId only applies to sub-cluster scopes.");
|
|
|
|
if (scopeKind != NodeAclScopeKind.Cluster && string.IsNullOrEmpty(scopeId))
|
|
throw new InvalidNodeAclGrantException(
|
|
$"ScopeKind={scopeKind} requires a populated ScopeId.");
|
|
}
|
|
|
|
private async Task EnsureNoDuplicate(
|
|
long generationId, string clusterId, string ldapGroup, NodeAclScopeKind scopeKind, string? scopeId,
|
|
CancellationToken cancellationToken)
|
|
{
|
|
var exists = await db.NodeAcls.AsNoTracking()
|
|
.AnyAsync(a => a.GenerationId == generationId
|
|
&& a.ClusterId == clusterId
|
|
&& a.LdapGroup == ldapGroup
|
|
&& a.ScopeKind == scopeKind
|
|
&& a.ScopeId == scopeId,
|
|
cancellationToken).ConfigureAwait(false);
|
|
|
|
if (exists)
|
|
throw new InvalidNodeAclGrantException(
|
|
$"A grant for (LdapGroup={ldapGroup}, ScopeKind={scopeKind}, ScopeId={scopeId}) already exists in generation {generationId}. " +
|
|
"Update the existing row's permissions instead of inserting a duplicate.");
|
|
}
|
|
}
|
|
|
|
/// <summary>Thrown when a <see cref="NodeAcl"/> grant authoring request violates an invariant.</summary>
|
|
public sealed class InvalidNodeAclGrantException(string message) : Exception(message);
|